Legal dictionary

Plain-English definitions for terms that appear in privacy policies, data processing agreements, and generated documents. This is not legal advice.

Controller
The entity that decides why and how personal data is processed. Under GDPR, the controller carries primary legal responsibility for that processing.
Processor
An entity that processes personal data on behalf of a controller. A processor must follow the controller's documented instructions.
Data Subject
The individual whose personal data is being processed.
Personal Data
Any information relating to an identified or identifiable natural person. Includes names, emails, IP addresses, device identifiers, and more.
Sensitive Personal Data
A subset of personal data that requires stronger protection — racial/ethnic origin, health data, biometric data, religious beliefs, sexual orientation, political opinions, etc.
Processing
Any operation performed on personal data — collection, storage, use, transmission, deletion.
Lawful Basis
Under GDPR, one of six grounds required to process personal data: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Consent
Freely given, specific, informed, and unambiguous indication of the data subject's wishes. Silence, pre-ticked boxes, or inactivity do not constitute consent.
Legitimate Interests
A lawful basis for processing where the controller's legitimate interests are not overridden by the rights and interests of the data subject.
DSAR
Data Subject Access Request — a formal request from an individual to exercise their rights under data protection law (access, deletion, portability, etc.).
DPO
Data Protection Officer — the individual responsible for overseeing an organisation's data protection strategy and compliance.
DPIA
Data Protection Impact Assessment — a process to identify and minimise data protection risks in a project. Required for high-risk processing.
SCC
Standard Contractual Clauses — European Commission-approved contract terms used to safeguard personal data transferred outside the EEA.
SCCs (UK)
International Data Transfer Agreement (IDTA) or UK Addendum — the UK equivalents of SCCs used to safeguard transfers out of the UK.
GDPR
General Data Protection Regulation — the EU's comprehensive data protection law. Took effect 25 May 2018.
UK GDPR
The UK's retained version of the EU GDPR, in force since Brexit and tailored via the Data Protection Act 2018.
CCPA
California Consumer Privacy Act — gives California residents rights over personal information collected by businesses.
CPRA
California Privacy Rights Act — amended and strengthened the CCPA, effective 1 January 2023. Introduced the "sensitive personal information" category.
LGPD
Lei Geral de Proteção de Dados — Brazil's comprehensive data protection law, closely modelled on GDPR.
PIPEDA
Personal Information Protection and Electronic Documents Act — Canada's federal private-sector privacy law.
POPIA
Protection of Personal Information Act — South Africa's data protection law.
Global Privacy Control
A browser-level signal (GPC) that communicates the user's opt-out preference automatically. Recognised under CCPA/CPRA.
IAB TCF
IAB Europe's Transparency and Consent Framework — the industry standard for signalling consent in digital advertising.
Google Consent Mode
A Google framework that adjusts Google tag behaviour based on a user's consent state. v2 is mandatory in the EEA for certain advertising features.
Sub-Processor
A third party engaged by a processor to perform specific processing on behalf of the controller. Customers are typically entitled to notice when sub-processors change.
Processing Agreement
Also called a Data Processing Agreement (DPA). The contract between a controller and processor that sets out processing instructions, confidentiality, and security obligations.
Binding Corporate Rules
Internal codes of conduct that allow multinational companies to transfer personal data between group entities across borders.
Right to Erasure
Also called the "right to be forgotten". A data subject's right to have their personal data deleted under certain conditions.
Data Portability
The right to receive one's personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Pseudonymisation
Processing personal data so it can no longer be attributed to a specific person without additional information kept separately.
Anonymisation
Irreversibly removing the link between data and an identifiable individual. Truly anonymised data falls outside GDPR.
Breach Notification
The obligation to notify a supervisory authority (and sometimes affected individuals) of a personal data breach, typically within 72 hours under GDPR.